The denial of service attack is statistically the most used malicious attack of them all. This stems from how easy the attack is to carry out, as well as its alarming effectiveness. Literally anyone can bring down a website with a simple command prompt. The question is: how do you protect against an attack that can cripple your network or website in a matter of minutes?
Types of Denial of Service Attacks
If you are going to protect against an attack, you first have to know how it works. You must familiarize yourself with the different variations, methods, and plans of attacks that hackers use. Surprisingly, there are at least seven different classifications of denial of service attacks known today.
Ping Flood
The most basic of attacks is the ping flood attack. It relies on the ICMP echo command, more popularly known as ping. In legitimate situations the ping command is used by network administrators to test connectivity between two computers. In the ping flood attack, it is used to flood the victim's computer with large numbers of data packets in an attempt to overload it. You can see an example of the ping flood attack below.
Notice the two options used in particular: -n and -l.
Two Exploitable Options of Ping
1. The -n option tells the prompt to send the request a specified number of times. The default is four packets, but we sent five.
2. The -l option sets how much data to send in each packet. The maximum is 65,500 bytes, while the default is just 32.
This type of attack is generally useless on larger networks or websites. This is because only one computer is being used to flood the victim’s resources. If we were to use a group of computers, then the attack would become a distributed denial of service attack, or DDoS.
The most common cure for the ping flood attack is to simply ban the offending IP address from accessing your network. A distributed denial of service attack is a bit more complex, but we will take a look at it later on.
Ping of Death
The ping of death attack, or PoD, can cripple a network because of a flaw in the TCP/IP system. The maximum size for a packet is 65,535 bytes. If one were to send a packet larger than that, the receiving computer could not handle it and would ultimately crash.
A single packet of this size is not allowed by the TCP/IP protocol, but attackers can bypass this by sending the packet in fragments. When the fragments are reassembled on the receiving computer, the overall packet size is too great. This causes a buffer overflow and crashes the device.
Luckily, most devices created after 1998 are immune to this kind of attack. If you are running a network with outdated devices, this is indeed a possible threat to your network. In this case, upgrade your devices if possible.
Smurf / Smurfing
When conducting a smurf attack, attackers spoof the source IP address of their packets to be the victim's IP address and send them to a network's broadcast address. If done correctly, every host on that network answers the victim, and a massive flood of traffic is sent to the victim's networking device.
Most firewalls protect against smurf attacks, but if you do notice one, there are several things you can do. If you have access to the router your network or website is on, simply tell it to not forward packets to broadcast addresses. In a Cisco router, simply use the command: no ip directed-broadcast.
This won’t necessarily nullify the smurf attack, but it will greatly reduce the impact and also prevent your network or website from attacking others by passing on the attack. Optionally, you could upgrade your router to newer Cisco routers, which automatically filter out the spoofed IP addresses that smurf attacks rely on.
Fraggle
A Fraggle attack is exactly the same as a smurf attack, except that it uses the user datagram protocol, or UDP, rather than the more common transmission control protocol, or TCP. Fraggle attacks, like smurf attacks, are starting to become outdated and are commonly stopped by most firewalls or routers.
If indeed you think you are being plagued by a fraggle attack, simply block the echo service on port 7. You may also wish to block port 19 (the chargen service), another port commonly exploited by fraggle attacks. This attack is generally less powerful than the smurf attack, since the TCP protocol is much more widely used than the UDP protocol.
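The three flooding patterns described above (the single-source ping flood, smurf traffic aimed at a broadcast address, and fraggle traffic aimed at UDP ports 7 and 19 of a broadcast address) can all be spotted from packet summaries. The monitor below is an added example, not code from the original article; its record format, the monitored networks, the addresses and the thresholds are all assumptions constructed for the example.

```python
"""Added example, not from the original article: an offline monitor that flags
the three traffic patterns discussed above from packet summaries.
  * ping flood: one source sends ICMP echo requests faster than a threshold
  * smurf: ICMP echo requests aimed at a directed-broadcast address we own
  * fraggle: UDP to the echo (7) or chargen (19) port of such an address
The record format, networks, addresses and thresholds are assumptions."""
from collections import defaultdict, deque
import ipaddress

# Networks behind the monitored router (constructed, RFC 5737 documentation space).
LOCAL_NETWORKS = [ipaddress.ip_network("192.0.2.0/24"),
                  ipaddress.ip_network("198.51.100.0/24")]
AMPLIFIER_UDP_PORTS = {7, 19}  # echo and chargen, the fraggle targets named above

# Constructed packet summaries: "<seconds> <proto> <src> <dst> <dport|-> <bytes>".
SAMPLE_RECORDS = """\
0.00 icmp-echo 203.0.113.9 192.0.2.10 - 65500
0.10 icmp-echo 203.0.113.9 192.0.2.10 - 65500
0.20 icmp-echo 203.0.113.9 192.0.2.10 - 65500
0.30 icmp-echo 203.0.113.9 192.0.2.10 - 65500
0.40 icmp-echo 203.0.113.9 192.0.2.10 - 65500
0.50 icmp-echo 203.0.113.9 192.0.2.10 - 65500
0.55 icmp-echo 203.0.113.20 192.0.2.10 - 32
0.60 icmp-echo 192.0.2.10 192.0.2.255 - 1024
0.70 udp 192.0.2.10 198.51.100.255 19 512
0.80 udp 203.0.113.20 198.51.100.5 53 64
"""

def parse_records(text):
    """Turn the summary lines into dicts; blank lines are skipped."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, proto, src, dst, dport, size = line.split()
        records.append({"ts": float(ts), "proto": proto, "src": src, "dst": dst,
                        "dport": None if dport == "-" else int(dport),
                        "bytes": int(size)})
    return records

def directed_broadcasts():
    """Broadcast address of every local network, e.g. 192.0.2.255 for a /24."""
    return {str(net.broadcast_address) for net in LOCAL_NETWORKS}

def find_ping_floods(records, window=1.0, max_requests=5):
    """Sources sending more than max_requests echo requests within any sliding
    window of `window` seconds. Records must be in time order."""
    recent = defaultdict(deque)
    flagged = set()
    for r in records:
        if r["proto"] != "icmp-echo":
            continue
        q = recent[r["src"]]
        q.append(r["ts"])
        while q and r["ts"] - q[0] > window:  # expire timestamps outside the window
            q.popleft()
        if len(q) > max_requests:
            flagged.add(r["src"])
    return flagged

def find_amplification(records):
    """Packets a broadcast domain would amplify. The source address in these is
    the (spoofed) victim, so the right response is to stop forwarding directed
    broadcasts at the router, not to block that source."""
    broadcasts = directed_broadcasts()
    hits = []
    for r in records:
        if r["dst"] not in broadcasts:
            continue
        if r["proto"] == "icmp-echo":
            hits.append(("smurf", r["src"], r["dst"]))
        elif r["proto"] == "udp" and r["dport"] in AMPLIFIER_UDP_PORTS:
            hits.append(("fraggle", r["src"], r["dst"]))
    return hits

if __name__ == "__main__":
    recs = parse_records(SAMPLE_RECORDS)
    print("ping flood sources:", sorted(find_ping_floods(recs)))
    print("amplification attempts:", find_amplification(recs))
```

On the sample data the rate check singles out 203.0.113.9 (six full-size echo requests in half a second) while the single ping from 203.0.113.20 passes, and the two broadcast-bound packets are reported as smurf and fraggle attempts. Note that for those two the "source" is the victim whose address was spoofed, which is why the fix belongs on the router (no ip directed-broadcast) rather than in a source blocklist.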
SYN Flood
The SYN flood attack takes advantage of the TCP three-way handshake. It can be carried out in two ways, both of which start a three-way handshake but never complete it. You can view the proper three-way handshake below.
In the first method, the attacker sends a synchronize request, or SYN, with a spoofed IP address. When the server sends back a SYN-ACK, or synchronize-acknowledge, it will obviously not get a response. This means the server never receives the client's ACK, and the connection is left half-open, tying up resources.
Alternatively, the attacker can simply choose not to send the acknowledgement. Both methods stall the server, which is left waiting for the ACK. Thankfully, this hole in the three-way handshake has been patched for years, just like the ping of death attack. Should you suspect that your older devices are the subject of this attack, upgrade them immediately.
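The patch the text refers to is, on most modern systems, the SYN cookie: instead of allocating a half-open connection when a SYN arrives, the server encodes what it needs into the initial sequence number of its SYN-ACK and only creates a connection record when an ACK comes back carrying that value plus one. The following is an added example (not from the original article or any particular operating system) that contrasts a naive server with a cookie-based one; the secret key, time slots, addresses and ports are constructed, and the cookie leaves out the MSS encoding real kernels add.

```python
"""Added example, not from the original article: the half-open-connection
problem above and the SYN-cookie mitigation. A naive server stores a record
per SYN and can be exhausted by SYNs that are never acknowledged; a cookie
server keeps no state until a valid ACK arrives. Key, time slots, addresses
and ports are constructed for the example."""
import hashlib
import hmac
import secrets
import struct

COOKIE_SECRET = b"constructed-example-secret"  # a per-boot random key in practice
SLOT_SECONDS = 64   # cookies are tied to a coarse time slot...
MAX_SLOT_AGE = 2    # ...and accepted for at most this many slots afterwards

def _slot(now):
    return (int(now) // SLOT_SECONDS) & 0xFF

def _mac(src, sport, dst, dport, slot):
    """24-bit keyed hash of the connection 4-tuple and the time slot."""
    msg = f"{src}:{sport}>{dst}:{dport}@{slot}".encode()
    digest = hmac.new(COOKIE_SECRET, msg, hashlib.sha256).digest()
    return struct.unpack(">I", digest[:4])[0] & 0xFFFFFF

def make_cookie(src, sport, dst, dport, now):
    """Server ISN: 8 bits of time slot, 24 bits of MAC. Nothing is stored."""
    slot = _slot(now)
    return (slot << 24) | _mac(src, sport, dst, dport, slot)

def check_cookie(cookie, src, sport, dst, dport, now):
    slot = cookie >> 24
    if (_slot(now) - slot) & 0xFF > MAX_SLOT_AGE:
        return False  # stale: the SYN-ACK it answers was sent too long ago
    expected = _mac(src, sport, dst, dport, slot).to_bytes(3, "big")
    return hmac.compare_digest((cookie & 0xFFFFFF).to_bytes(3, "big"), expected)

class NaiveServer:
    """Allocates a half-open entry per SYN, as the vulnerable hosts above do."""
    def __init__(self, ip, port):
        self.ip, self.port, self.half_open, self.established = ip, port, {}, {}
    def on_syn(self, src, sport, seq, now):
        isn = secrets.randbits(32)
        self.half_open[(src, sport)] = (seq, isn)  # memory held until a timeout
        return isn
    def on_ack(self, src, sport, ack, now):
        entry = self.half_open.pop((src, sport), None)
        if entry is None or ack != (entry[1] + 1) & 0xFFFFFFFF:
            return False
        self.established[(src, sport)] = entry
        return True

class SynCookieServer(NaiveServer):
    """Same interface, but a SYN leaves nothing behind; the ACK must prove it
    saw our SYN-ACK by carrying cookie+1 as its acknowledgement number."""
    def on_syn(self, src, sport, seq, now):
        return make_cookie(src, sport, self.ip, self.port, now)
    def on_ack(self, src, sport, ack, now):
        cookie = (ack - 1) & 0xFFFFFFFF
        if not check_cookie(cookie, src, sport, self.ip, self.port, now):
            return False
        self.established[(src, sport)] = cookie
        return True

def half_open_after_flood(server, count=1000, now=100.0):
    """Send `count` SYNs from spoofed sources that never answer and report
    how many half-open entries the server is left holding."""
    for i in range(count):
        server.on_syn(f"203.0.113.{i % 250 + 1}", 40000 + i, seq=1, now=now)
    return len(server.half_open)

if __name__ == "__main__":
    print("naive server half-open after flood:",
          half_open_after_flood(NaiveServer("192.0.2.10", 80)))
    cookie_server = SynCookieServer("192.0.2.10", 80)
    print("cookie server half-open after flood:", half_open_after_flood(cookie_server))
    isn = cookie_server.on_syn("198.51.100.7", 5000, seq=1, now=100.0)
    print("genuine client completes handshake:",
          cookie_server.on_ack("198.51.100.7", 5000, isn + 1, now=130.0))
```

The naive server ends the flood holding one entry per spoofed SYN, which is exactly the resource exhaustion the handshake hole allows; the cookie server holds none, yet a genuine client whose ACK returns cookie+1 within the validity window still gets its connection. A wrong acknowledgement number, a different port, or an ACK that arrives after the slot window has passed is rejected without any lookup, because there is nothing to look up.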
Teardrop
In the teardrop attack, packet fragments are sent in a jumbled and confused order. When the receiving device attempts to reassemble them, it obviously won’t know how to handle the request. Older versions of operating systems will simply just crash when this occurs.
Operating systems such as Windows NT, Windows 95, and even Linux versions prior to version 2.1.63 are vulnerable to the teardrop attack. As stated earlier, upgrading your network hardware and software is the best way to stay secure from these types of attacks.
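Both the ping of death (above) and the teardrop attack come down to a fragment reassembler that trusts the offset and length fields it is given. The reassembler below is an added example, not code from the original article or from any operating system; it models fragments as (offset, payload, more-fragments) triples and the sample fragment sets are constructed. In strict mode it rejects a fragment that would push the datagram past 65,535 bytes and a fragment that overlaps data already placed; with strict=False it behaves like the naive code the text describes, except that where a fixed-size kernel buffer would be overrun this version simply grows.

```python
"""Added example, not from the original article: an IPv4 fragment reassembler
with the two checks whose absence the ping of death and teardrop attacks
exploit. Fragments are (offset_bytes, payload, more_fragments); the sample
fragment sets below are constructed for the example."""
MAX_IPV4_DATAGRAM = 65535  # maximum IP total length, as stated in the text

class FragmentError(ValueError):
    """Raised when a fragment set cannot be reassembled safely."""

def reassemble(fragments, strict=True):
    """Return the reassembled payload.

    strict=True rejects (a) a fragment ending beyond 65,535 bytes (ping of
    death), (b) a fragment overlapping data already placed (teardrop) and
    (c) a set that leaves a hole. strict=False mimics a naive reassembler
    that blindly trusts offsets and lengths."""
    buf = bytearray()
    placed = []        # (start, end) byte ranges already copied into buf
    total_len = None   # set by the fragment with more_fragments == False
    for offset, payload, more in fragments:
        if offset % 8:
            raise FragmentError(f"offset {offset} is not a multiple of 8")
        end = offset + len(payload)
        if strict:
            if end > MAX_IPV4_DATAGRAM:
                raise FragmentError(f"fragment would end at byte {end} > {MAX_IPV4_DATAGRAM}")
            if any(offset < e and s < end for s, e in placed):
                raise FragmentError(f"fragment {offset}-{end} overlaps earlier data")
        if end > len(buf):
            buf.extend(bytes(end - len(buf)))  # a real kernel buffer cannot grow like this
        buf[offset:end] = payload
        placed.append((offset, end))
        if not more:
            total_len = end
    if total_len is None:
        raise FragmentError("last fragment (MF=0) never arrived")
    if strict:
        pos = 0
        for s, e in sorted(placed):
            if s != pos:
                raise FragmentError(f"hole before offset {s}")
            pos = e
        if pos != total_len:
            raise FragmentError("data placed beyond the final fragment")
    return bytes(buf[:total_len])

def valid_fragments():
    return [(0, b"A" * 16, True), (16, b"B" * 8, False)]

def ping_of_death_fragments():
    # 8 bytes at offset 0, then 8 bytes at the highest 8-aligned offset: the
    # datagram would end at byte 65536, one past the IP limit.
    return [(0, b"P" * 8, True), (65528, b"D" * 8, False)]

def teardrop_fragments():
    # the second fragment starts inside the first one
    return [(0, b"A" * 24, True), (16, b"B" * 16, False)]

def is_rejected(fragments):
    """True if strict reassembly refuses the fragment set."""
    try:
        reassemble(fragments)
    except FragmentError:
        return True
    return False

if __name__ == "__main__":
    print("valid:", reassemble(valid_fragments()))
    print("ping of death rejected:", is_rejected(ping_of_death_fragments()),
          "| naive size:", len(reassemble(ping_of_death_fragments(), strict=False)))
    print("teardrop rejected:", is_rejected(teardrop_fragments()),
          "| naive result:", reassemble(teardrop_fragments(), strict=False))
```

Run naively, the ping of death set yields a 65,536-byte datagram (the oversize that crashed pre-1998 stacks) and the teardrop set silently lets the second fragment overwrite part of the first; run strictly, both are refused before any data is copied.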
Distributed Denial of Service
This is by far the most deadly of all denial of service attacks, since an easy fix is hard to come by. Instead of just installing the latest hardware and software, network administrators will usually need extra help with these types of attacks.
A distributed denial of service attack, or DDoS, is much like the ping flood method, only multiple computers are being used. In this instance, the computers that are being used may or may not be aware of the fact that they are attacking a website or network. Trojans and viruses commonly give the hacker control of a computer, and thus the ability to use it for attacks. In this case the victim computers are called zombies.
A DDoS attack is very tough to overcome. The first thing to do is to contact your hosting provider or internet service provider, depending on what is under attack. They will usually be able to filter out the bulk of the traffic based on where it’s coming from. For more large-scale attacks, you’ll have to become more creative.
If you have access to your router and it is a Cisco model, enable unicast reverse-path forwarding on the interface facing the attack by entering the following command in interface configuration mode: ip verify unicast reverse-path. (The no form of this command turns the check off.)
This ensures that packets with spoofed source IP addresses are dropped. This will still be a problem for zombie computers, however, since their IP addresses aren't spoofed at all. In this case, you can do one of several things.
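What the reverse-path check does is look up the source address of each incoming packet in the routing table: if the best route back to that source does not leave through the interface the packet arrived on, the source cannot be genuine and the packet is dropped. The model below is an added example, not code from the original article or from Cisco; its routing table, interface names and sample packets are constructed, and it treats the default route like any other (real implementations make that configurable).

```python
"""Added example, not from the original article or from Cisco: a model of the
check that strict unicast reverse-path forwarding performs on a router
interface. The routing table, interface names and packets are constructed."""
import ipaddress

# Constructed routing table: (prefix, egress interface); the longest prefix wins.
ROUTES = [
    (ipaddress.ip_network("0.0.0.0/0"),       "Gi0/0"),  # default route toward the ISP
    (ipaddress.ip_network("192.0.2.0/24"),    "Gi0/1"),  # office LAN
    (ipaddress.ip_network("198.51.100.0/24"), "Gi0/2"),  # web servers
]

def best_route(addr):
    """Interface of the most specific route covering addr, or None."""
    ip = ipaddress.ip_address(addr)
    matches = [(net.prefixlen, iface) for net, iface in ROUTES if ip in net]
    return max(matches)[1] if matches else None

def urpf_strict_accept(src, ingress):
    """Strict mode: the source must be reachable *through the ingress interface*.
    A packet claiming a source that lives behind some other interface is spoofed."""
    return best_route(src) == ingress

# Constructed packets: (source address, interface the packet arrived on).
SAMPLE_PACKETS = [
    ("203.0.113.9",  "Gi0/0"),  # remote host using its real address (a zombie looks like this)
    ("192.0.2.10",   "Gi0/0"),  # arrives from the ISP claiming to be our LAN: spoofed
    ("192.0.2.10",   "Gi0/1"),  # same address seen on the LAN side: genuine
    ("198.51.100.5", "Gi0/1"),  # server address showing up on the office LAN: spoofed
]

def filter_packets(packets, check=urpf_strict_accept):
    """Split packets into those the check accepts and those it drops."""
    accepted, dropped = [], []
    for src, ingress in packets:
        (accepted if check(src, ingress) else dropped).append((src, ingress))
    return accepted, dropped

if __name__ == "__main__":
    accepted, dropped = filter_packets(SAMPLE_PACKETS)
    print("forwarded:", accepted)
    print("dropped as spoofed:", dropped)
```

The two packets that claim an inside address while arriving from the wrong side are dropped, which is the smurf and spoofed-flood case; the packet from 203.0.113.9 on the ISP interface is forwarded because its source really is out there, which is why the check does nothing against zombies using their own addresses. Strict mode also drops legitimate traffic when routing is asymmetric (replies leaving via a different interface than requests arrive on), so it is normally enabled on edge interfaces where the return path is unambiguous.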
Options in DDoS Prevention
1. Hire a security company to assess and repair the damage
2. Buy an intrusion detection system (IDS)
As a last resort, the traffic can be routed to a sinkhole, which diverts all traffic elsewhere until a solution can be found. This diverts good traffic along with the bad, so it is usually not a good choice.
Closing Comments
As you can tell, the majority of denial of service attacks can be prevented through simply upgrading to the latest hardware and software. In the case of distributed denial of service attacks, we have less simplistic options to work with.
Even giants such as Microsoft have fallen victim to DDoS attacks. Generally, it's a good idea not to make many enemies, and to keep a sharp watch on your network at all times. And in the event that you do track an attacker down, keep two things in mind. First, it may be a spoofed IP address, and thus a false lead. Second, never attack back. Simply contact the authorities and wait for the justice system to do its work.
Perfect 🙂
Excellent article!
As to DDoS attacks, seems like the most effective prevention method is to pray that they will never happen .. I have a question though, I read about Backscatter attacks on wikipedia.org, I assume this is the type of DDoS attack that happens with spoofed IP addresses, actually when I first read this, I thought there's no way to stop this kind of attack as you have packets coming from everywhere, but I see you mention here it can be stopped by using this command:
No ip verify unicast reverse-path
in your Cisco router, which will prevent attackers from using spoofed IPs, I wonder how this works though, how can the router know whether the IP is spoofed or not?
Thanks.
Great Article.
Goodday,
These articles are well okay.
very helpful.
It's the best article I have seen so far. Keep it up. It helped me understand network security basics.
Clear and simple explanation.
Thanks!
This article is so awesome XD !
Amazing really !
well done !
Well written but I hope you're open to criticism.
You talked about all the details of the DoS attacks until you reached the DDoS. At that point you just explained what a zombie is which really says nothing about the actual attack of each individual zombie, it only describes that you are being attacked from multiple vectors. Are those vectors using tcp syn, smurf, pod, fraggle, teardrop or what? I would expand on DDoS a little more. Maybe cite examples like Kraken or Srizbi and what specific methods they use.
DDoS attacks are done using the ping flood method.
No ip verify unicast reverse-path is only going to filter out the actual attacker but not all the zombies because they are coming from legit IP’s.
DDoS attack zombies sometimes are in specific geographic areas….so let's say some guy in Korea has it out for your company or website….and 90% of his zombies are in Korea….you can filter whole A or B blocks of IPs…..if it is truly distributed….things get really hairy really quickly.
I was told to help organize and prevent a DoS attack for a web-site for testing purposes. This was really helpful to start with. Great job! Tnx a lot.
First off, I don't think buying an IDS would effectively help avoid DDoS. An IDS is only an after-the-fact device and does not help to overcome such an issue.
An IPS could be much better than an IDS, but it still won't help if you don't have a good relationship with your ISPs, retaining emergency contacts for their technical staff and a proper procedure of what to do if that happens! Because it would be a panic time… so some written documents should guide what to do!
Great work. Simple and very comprehensive.
I think most routers have a “block WAN ping” option…..which prevents the network behind that router or set of routers from being pinged to death
Does anyone know a simple C++ source code that can help auto-detect DoS attacks on a network? Please help.
Isn't it possible to somehow get some QoS to the ICMP ping port on the router, so if it's taking up a certain percentage of the bandwidth (like 12% or something) then deny any other packets from that port?
Hello there!
How could I defend against a denial of service attack where the attacker originates in my network?